SSL Web Proxy - DrayTek Corp - Headquarters of DrayTek Vigor IP

Sep 12, 2021

SSL Web Proxy

Vigor2930, Vigor2950 and VigorPro 5500/5510 series routers support the SSL Web Proxy function, which lets users access internal servers securely over the Internet. We provide a general user application as a reference, including a case description and the configuration of the Web interface. Two modes are supported in this feature: Secured Port Redirection mode and SSL mode. Please refer to the following introduction to the related application and configuration.

Introduction

Generally, to access an internal web server which is behind a NAT router, you have the following two methods:

1. Open relevant ports (Usually TCP 80) on the router.

2. Connect a traditional VPN tunnel (PPTP, L2TP or IPSec) to the router.

Drawbacks of the above methods:

1. If the web server contains private or restricted information which should only allow authorized access, an open port is a potential security hole for attackers to exploit for intrusion or file transfer. In this case, most administrators do not choose to open a port.

2. There are many blocking issues involving connections in relation to GRE port blocking or ESP/AH port blocking, and there are many IPSec NAT incompatibility problems. So if you are on a business trip, it happens frequently that you cannot connect a VPN to your company's router because of the router/firewall in the hotel, airport, etc.

Advantages of SSL Web proxy

Secured Port Redirection mode: It works like Open Port, but the port opened by the router is random and temporary. The random port is opened when the session is established, and closed when the connection is dropped.

SSL mode: It uses HTTPS to establish a secure connection. Typical port blocking is reduced. There is no NAT incompatibility problem. No static IPs are required, and a VPN client is unnecessary.

Application Note (Secured Port Redirection mode)

Figure 1

OTRS is a working system which only the Support department is permitted to access. Gforge is another system which the Support, Sales, R&D and other departments are permitted to access. Both systems are based on web services. User A belongs to the Support department, and User B belongs to the Sales department. They are on business trips and need to access the systems from the Internet.

Configurations on the Router :

1. Go to the SSL VPN >> SSL Web Proxy page, and setup two entries.

2. Enter the following:

· Enter a name for the OTRS system.

· If the web server is allowed to be accessed directly through its IP address, you may input the format http://ip/directory in the URL field. Here: http://172.17.1.40/login.pl

· If you have input an IP address in the URL field, you need not set up the Host IP Address field. In fact you will find it is grayed out.

· Select "Secured Port Redirection".

3. Enter the following:

· Enter a name for the Gforge system.

· If the web server is restricted to be accessed by domain name, you have to input the format http://domain_name/directory in the URL field. Here it is http://swm.gforge.com

· Enter the IP address of the web server in the Host IP Address field.

· Select "Secured Port Redirection".

4. Go to SSL VPN >> User Account page and add two accounts for User A and User B.

5. Enter the following:

· Enable the account.

· Set up the username/password for User A.

· It is not required, but you should disable all the VPN services in this profile. Otherwise this account can also be used to connect a VPN to your router.

· Enable SSL Web Proxy, then enable the relevant web servers (here both OTRS and Gforge) for User A.

6. Enter the following:

· Enable the account.

· Set up the username/password for User B.

· It is not required, but you should disable all the VPN services in this profile. Otherwise this account can also be used to connect a VPN to your router.

· Enable SSL Web Proxy, then enable the relevant web servers (here only Gforge) for User B.

7. Go to the System Maintenance >> Management page and make sure HTTPS Server is enabled. If you do not want to use the standard TCP 443 port, change the port as follows. Here we change it to 4443.

Steps for User A to use web proxy :

1. Open a web browser (IE or Firefox), and go to the following URL:

https://210.243.151.187:4443

2. Internet Explorer 6 will display the security alert shown below, stating that the security certificate is valid but is not from a known source. Please accept the certificate with confidence by pressing the Yes button.

Internet Explorer 7 will display the security alert shown below, stating that the security certificate is valid but is not from a known source. Please select the "Continue to this website (not recommended)" choice.

3. A login window pops up. Input the username and password for User A.

4. If you log in successfully, you will see a window like the one shown below. Press SSL Web Proxy.

5. This page will list all the web sites that you are allowed to access. In this example they are OTRS and Gforge for User A. But you are still not able to access them for the moment. There is an "Activate" button for each web server. Pressing the button opens a random port and a session for that internal server.

Press the "Activate" button for the server you would like to access.

6. After pressing the "Activate" button, the button changes to "Deactivate", and the OTRS and Gforge entries become active links. Now you are able to access the OTRS system and the Gforge system by clicking the OTRS and Gforge links.

The OTRS system.

The Gforge system.

7. After the access, to close the session and the port you may press the Deactivate button or simply close the web browser.

Steps for User B to use web proxy :

The steps are identical to the ones listed above. Just notice that after logging in successfully, the SSL Web Proxy page will only list the Gforge system for User B.

Limitation of Secure Port Redirection

1. It only supports web services.

2. The web servers must be within the same subnet as the Vigor router, and they must point their default gateways to the Vigor router. Here the Vigor router is the SSL Web Proxy.

Application Note (SSL mode)

OTRS is a working system which is connected directly behind the Vigor2950; they are within the same subnet. The Web Mail server is another system which is also behind the Vigor2950 but in a different subnet from the Vigor2950. User A is on a business trip and needs to access both systems from the Internet.

Configurations on the Router :

1. Go to the SSL VPN >> SSL Web Proxy page, and setup two entries.

2. Enter the following:

· Enter a name for the OTRS system.

· If the web server is allowed to be accessed directly through its IP address, you may input the format http://ip/directory in the URL field. Here: http://172.17.1.40/login.pl

· If you have input an IP address in the URL field, you need not set up the Host IP Address field. In fact you will find it is grayed out.

· Select "SSL".

3. Enter the following:

· Enter a name for the Web Mail.

· If the web server is restricted to be accessed by domain name, you have to input the format http://domain_name/directory in the URL field. Here it is http://ms.mailserver.com

· Enter the IP address of the Web Mail in the Host IP Address field.

· Select "SSL".

4. Go to SSL VPN >> User Account page and add an account for User A.

5. Enter the following:

· Enable the account.

· Set up the username/password for User A.

· It is not required, but you should disable all the VPN services in this profile. Otherwise this account can also be used to connect a VPN to your router.

· Enable SSL Web Proxy, then enable the relevant web servers (here both OTRS and WebMail) for User A.

6. Go to the System Maintenance >> Management page and make sure HTTPS Server is enabled. If you do not want to use the standard TCP 443 port, change the port as follows. Here we change it to 4443.

Steps for User A to use web proxy :

1. Open a web browser (IE or Firefox), and go to the following URL:

https://218.242.130.126:4443

2. Internet Explorer 6 will display the security alert shown below, stating that the security certificate is valid but is not from a known source. Please accept the certificate with confidence by pressing the Yes button.

Internet Explorer 7 will display the security alert shown below, stating that the security certificate is valid but is not from a known source. Please select the "Continue to this website (not recommended)" choice.

3. A login window pops up. Input the username and password for User A.

4. If you log in successfully, you will see a window like the one shown below. Press SSL Web Proxy.

5. This page will list all the web sites that you are allowed to access. In this example they are OTRS and WebMail for User A. Now you are able to access them by clicking the links.

The OTRS system.

The WebMail

Secured Port Redirection vs SSL

1. They both just support web service.

2. Secured Port Redirection mode only works if the web servers are within the same subnet as the SSL Web Proxy. SSL mode does not have this limitation.

3. If the web server contains ActiveX controls, you had better choose Secured Port Redirection mode.
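As an added example (not DrayTek's code), the following Python function applies the entry rules from the configuration steps (URL with an IP versus a domain name, and when the Host IP Address field is needed) together with the same-subnet and default-gateway limitation above, to decide which of the two modes an SSL Web Proxy entry can use. The router LAN address 172.17.1.1/24 and the server gateway values are assumptions, since the note does not state them.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the note never states the Vigor's LAN address, so this is a
# constructed placeholder that puts OTRS (172.17.1.40) in the router's subnet.
ROUTER_LAN = ipaddress.ip_interface("172.17.1.1/24")


def _as_ip(text):
    """Return an ip_address object if text parses as one, otherwise None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_entry(url, host_ip=None, server_gateway=None, router=ROUTER_LAN):
    """Apply the note's rules to one SSL Web Proxy entry.

    Returns {"target": ip-or-None, "modes": [...], "notes": [...]}.
    * URL host is an IP  -> Host IP Address is not needed (grayed out).
    * URL host is a name -> Host IP Address is mandatory.
    * Secured Port Redirection needs the server in the router's subnet with
      its default gateway set to the router; SSL mode has no such limit.
    """
    parts = urlsplit(url)
    notes = []
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {"target": None, "modes": [], "notes": ["URL must be http(s)://host[/directory]"]}
    target = _as_ip(parts.hostname)
    if target is not None:
        if host_ip:
            notes.append("Host IP Address is ignored when the URL already carries an IP")
    else:
        target = _as_ip(host_ip) if host_ip else None
        if target is None:
            notes.append("URL uses a domain name, so Host IP Address is required")
            return {"target": None, "modes": [], "notes": notes}
    modes = ["SSL"]  # SSL mode works regardless of the server's subnet
    gw = _as_ip(server_gateway) if server_gateway else None
    if target not in router.network:
        notes.append("server is outside the router's subnet: SSL mode only")
    elif gw != router.ip:
        notes.append("server default gateway is not the router: SSL mode only")
    else:
        modes.insert(0, "Secured Port Redirection")
    return {"target": str(target), "modes": modes, "notes": notes}
```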